Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV
Transcript of Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV
![Page 1: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/1.jpg)
Microsoft Identity Integration Server & Role Base Access
Theo Kostelijk, Consultant, Microsoft BV, [email protected]
![Page 2: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/2.jpg)
Agenda
• Microsoft Identity Integration Server Concepts & Architecture (MIIS)
• Authorization Manager (AzMan)
![Page 3: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/3.jpg)
What is Microsoft Identity Integration Server?
• Directory Synchronization
• Password Management
• Provisioning and Workflow
[Diagram: MIIS in the centre, exchanging Identity Data with LDAP, SQL, NOS and Mainframe/Unix systems]
![Page 4: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/4.jpg)
Connectivity in MIIS 2003, Enterprise Edition
• Active Directory
• Active Directory Application Mode
• Active Directory Global Address List (GAL)
• Attribute-value pair text file
• Delimited text file
• Directory Service Markup Language (DSML) 2.0
• Exchange Server 5.5
• Exchange Server 5.5 (Bridgehead Server)
• Extensible Connectivity
• Fixed-width text file
• IBM DB2 Universal Database
• IBM Directory Server
• LDAP Data Interchange Format (LDIF)
• Lotus Notes
• Novell eDirectory 8.6.2 and 8.7
• Oracle Database 8i and 9i
• SQL Server 7.0 and 2000
• Sun and Netscape Directory Servers
• Windows NT 4.0
![Page 5: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/5.jpg)
Directory Synchronization
• Synchronizes multiple repositories
• Management agents use “touchless” connection to other systems
• Provides attribute-level control
• Manage global address lists (GAL)
• Automate group and DL management
[Diagram: MIIS synchronizing Exchange 5.5, Active Directory, Notes, Sun One, SQL and Oracle]
![Page 6: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/6.jpg)
Directory Synchronisation
[Diagram: MIIS connected to an HR System via DB, to Lotus Notes via API and to Active Directory via LDAP]
![Page 7: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/7.jpg)
Attribute Flow
![Page 8: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/8.jpg)
Password Management
• Initial password set when provisioning
• Centralized password control via a Web app & CTRL-ALT-DEL
– Self-service password change
– Helpdesk password reset
[Diagram: Web app & CTRL-ALT-DEL feeding MIIS, which propagates passwords to Active Directory and Sun One]
![Page 9: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/9.jpg)
Provisioning & Workflow
• Simple Provisioning & De-provisioning
– Provision users as they appear in authoritative systems
– Set initial values for attributes (including password)
– Disable or delete accounts
• Complex Workflow
– Initiate workflow or provisioning system
– Integrate with BizTalk
– Integrate with 3rd party provisioning systems
![Page 10: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/10.jpg)
Provisioning Scenario
[Diagram: HR System (DB) feeding MIIS, which provisions into iPlanet Directory (LDAP) and Active Directory (LDAP)]
![Page 11: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/11.jpg)
De-Provisioning Scenario
[Diagram: HR System (DB) feeding MIIS, which de-provisions from iPlanet Directory (LDAP) and Active Directory (LDAP)]
![Page 12: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/12.jpg)
MIIS Architecture
[Diagram: HR App with SQL, Active Directory and Lotus Notes, each with its own Connector Space holding Connector Space Objects; Connectors link these to Metaverse Objects in the Metaverse]
![Page 13: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/13.jpg)
Authorization Manager: AzMan Advantages
• Centralized authorization policy for multiple applications
• The ability to create security groups outside of Active Directory and managed by the application administrator
• The ability to create groups based on the result of an LDAP query
• Relies on a Policy Store for one or more apps
– Delegated Admin (AD & ADAM only)
– XML Store – not recommended for Enterprise Apps
– Authorized users “Must” have an actual account on the web server or user account in AD or ADAM
Introduced in Windows Server 2003 – Also available for Windows Server 2000
![Page 14: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/14.jpg)
Authorization Manager Advantages
• 3 Key Mechanisms for user Role Assignments:
– Membership in AD or Local Server, or AzMan Groups
– LDAP Query Groups
– BizRules
• Centrally Managed across the organization without managing Web.config files or changing application code
![Page 15: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/15.jpg)
Web Expense Application
Role = {Tasks}, Task = {Operations}
[Diagram: Roles Administrator, Approver and Submitter; Tasks ChangeApprover, Approve/Deny Payment, Approve/Reject Report, SubmitReport, CancelReport and CheckStatus; Operations DatabaseOperation, WebOperation, DirectoryOperation and PaymentSystem Operation]
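The Role = {Tasks}, Task = {Operations} model and the three role-assignment mechanisms (group membership, LDAP query groups, BizRules) from the previous slides, as an added Python model that is not the AzMan COM API and not code from the presentation; the group names, which operations each task needs, the LDAP query predicate and the BizRule amount limit are assumptions.

```python
# Added illustration of the AzMan model on the slides: Role = {Tasks},
# Task = {Operations}, with roles assigned through group membership, an
# LDAP query group and a BizRule. Python model, not the AzMan COM API;
# group data, task contents and the BizRule limit are constructed.

# Task = set of operations (names from the Web Expense slide; contents constructed).
TASKS = {
    "SubmitReport": {"WebOperation", "DatabaseOperation"},
    "CancelReport": {"WebOperation", "DatabaseOperation"},
    "CheckStatus": {"WebOperation"},
    "ApproveRejectReport": {"WebOperation", "DatabaseOperation"},
    "ApproveDenyPayment": {"DatabaseOperation", "PaymentSystemOperation"},
    "ChangeApprover": {"DirectoryOperation", "DatabaseOperation"},
}

# Role = set of tasks.
ROLES = {
    "Submitter": {"SubmitReport", "CancelReport", "CheckStatus"},
    "Approver": {"ApproveRejectReport", "ApproveDenyPayment", "CheckStatus"},
    "Administrator": {"ChangeApprover", "CheckStatus"},
}

# Role assignment conditions, one per mechanism on the slide (constructed):
# "groups" = AD/local/AzMan group membership, "ldap" = LDAP query group as a
# predicate on user attributes, "bizrule" = runtime rule on request parameters.
ROLE_ASSIGNMENTS = {
    "Submitter": {"groups": {"Domain Users"}},
    "Approver": {"ldap": lambda u: u.get("title") == "Manager",
                 "bizrule": lambda p: p.get("amount", 0) <= 5000},
    "Administrator": {"groups": {"ExpenseAdmins"}},
}

def roles_for(user, params=None):
    """Roles held for this request; every condition on an assignment must hold."""
    params, held = params or {}, set()
    for role, cond in ROLE_ASSIGNMENTS.items():
        ok = ("groups" not in cond or cond["groups"] & set(user.get("groups", ())))
        ok = ok and ("ldap" not in cond or cond["ldap"](user))
        ok = ok and ("bizrule" not in cond or cond["bizrule"](params))
        if ok:
            held.add(role)
    return held

def access_check(user, operation, params=None):
    """Deny by default: allow only if some held role has a task containing the operation."""
    return any(operation in TASKS[task]
               for role in roles_for(user, params) for task in ROLES[role])
```

Because the application only ever asks about operations, adding a task to a role or changing the BizRule limit changes who may do what without touching application code, which is the point of the "centrally managed" bullet.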
![Page 16: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/16.jpg)
AzMan Groups
![Page 17: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/17.jpg)
AzMan Operation Definitions
![Page 18: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/18.jpg)
AzMan Task Definitions
![Page 19: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/19.jpg)
How to use AzMan in your code?
![Page 20: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/20.jpg)
MIIS & AzMan (HRApp to MIIS)
![Page 21: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/21.jpg)
MIIS & AzMan (MIIS to AD)
![Page 22: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/22.jpg)
MIIS & AzMan (AzMan & AD)
![Page 23: Microsoft Identity Integration Server Role Base Access Theo Kostelijk Consultant Microsoft BV](https://reader035.fdocuments.net/reader035/viewer/2022062504/5a4d1b7d7f8b9ab0599b9c79/html5/thumbnails/23.jpg)